# Recipient map for age-encrypted secrets (agenix-style `secrets.nix`): each
# attribute names an encrypted file and lists the SSH public keys that may
# decrypt it.
#
# Changing a list here does not touch ciphertext that already exists: the
# affected files have to be re-encrypted (e.g. `agenix --rekey`) before the new
# recipient set applies. Dropping a key does not revoke what that key could
# already read, because older ciphertext in version-control history stays
# decryptable; rotate the underlying secret as well.
let
  # One ed25519 public key per machine.
  # NOTE(review): presumably these are the hosts' SSH host keys; confirm.
  id-reykjavik = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFwwpKfxNmUyBoPZqz1jYc6arCdHPvJrEsBN49m/P3By";
  id-hvannadal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICy1ocZywBvFHpIj+FvaC7QspRWuLXjy6fwakq9t+0Ev";
  id-thingvellir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEIvWEwYayFK8iRb4g2+cnQXlqiMBu3aWxTahXkaCNG7";

  # --- Host lists ---
  # All secrets are managed/edited from reykjavik, so every helper list is
  # built on top of the reykjavik-only list and therefore always contains it.
  reykjavik = [ id-reykjavik ];
  thingvellir = reykjavik ++ [ id-thingvellir ];
  samfelag-hosts = reykjavik ++ [
    id-hvannadal
    id-thingvellir
  ];
in
{
  # -- Consul -------------------------------
  # Gossip key and CA certificate are readable by every host.
  "consul.d/gossip.json.age".publicKeys = samfelag-hosts;
  "consul.d/consul-agent-ca.pem.age".publicKeys = samfelag-hosts;
  # CA private key: readable from reykjavik only. Keep this the narrowest list
  # in the file; a holder of this key can issue certificates under this CA.
  "consul.d/consul-agent-ca-key.pem.age".publicKeys = reykjavik;

  # Server certificates (private key and certificate for thingvellir)
  "consul.d/samfelag-server-thingvellir-key.pem.age".publicKeys = thingvellir;
  "consul.d/samfelag-server-thingvellir.pem.age".publicKeys = thingvellir;

  # Agent tokens: one per host, readable by that host (and reykjavik) only.
  # NOTE(review): no agent token for hvannadal is listed; confirm this is
  # intentional.
  "consul.d/agent-token-reykjavik.json.age".publicKeys = reykjavik;
  "consul.d/agent-token-thingvellir.json.age".publicKeys = thingvellir;

  # -- Nomad -------------------------------
  # The client token goes to every host, the server token to thingvellir only.
  "nomad.d/consul-token-client.json.age".publicKeys = samfelag-hosts;
  "nomad.d/consul-token-server.json.age".publicKeys = thingvellir;
}